On the Symantec Endpoint Protection (SEP) client, in rare instances Intrusion Prevention Service (IPS) detections may include an invalid MAC address for the local or source MAC address of the devices involved.
This occurs as a result of corrupted event logs sent by the SEP client to the SEP Manager. The SEP Manager reads the ASCII strings as binary values and translates accordingly.
This issue is fixed in Symantec Endpoint Protection (SEP) 14.3 RU1. For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec software here.